Information security processes and controls are often not considered as part of the well-established change and configuration management frameworks. Organisations build secure technological infrastructures and conduct penetration testing to identify vulnerabilities, but there is often no ongoing security maintenance leading to security failures. These failures can be put down to a number of inherent issues:
Increased security concerns have a direct consequence on the number of changes (i.e. patch installations to remediate vulnerabilities, configuration changes to block attacks, etc.) requested. Often these changes are planned, driven by security or compliance requirements, the introduction of advanced technologies or other requirements, but sometimes the changes are driven by urgency when systems/applications/networks are under attack.
CMA will work with organisations to develop a comprehensive and effective security change management program.